1. Security of your digital content and media applications on AWS
Usman Shakeel | Principal Solutions Architect | Amazon Web Services
Ryan Holland | Director of Cloud Platforms | Alert Logic
2. Who is attacking and why?
• Cyber Criminal
• Hacktivist
• Advanced Persistent Threat (APT)
3. Associated Press – Hacked Twitter Account
• 1% drop in S&P 500
• $136 Bn market drop
• US Treasury bond yield drop
• $ weakens against ¥
4. TV5Monde Outage
• 11 TV channels off air for 3 hours
• Website & Facebook page defaced
• Email server taken offline
5. Attack types against media vs other industries
• Higher than Average
– DDoS
– Brute Force
– Application Attacks
• Lower than Average
– Part of a botnet
– Scanning
– Recon
6. Shared Security Model
• Secure coding and best practices
• Software and virtual patching
• Configuration management
• Access management
• Application level attack monitoring
• Access management
• Patch management
• Configuration hardening
• Security monitoring
• Log analysis
• Network threat detection
• Security monitoring
• Logical network segmentation
• Perimeter security services
• External DDoS, spoofing, and scanning prevented
• Hardened hypervisor
• System image library
• Root access for customer
• Configuration best practices
7. Getting to a Secure Baseline
Visibility of the AWS Environment
AWS Security Best Practices
Vulnerabilities on the Instances
8. Your content
Your Crown Jewels…
Storage | Access Control, Encryption at rest, Access monitoring …
Network or Physical Transfer | Encryption in transit, Network vulnerabilities, …
Value added Services | Encryption and Key Management, Access Controls, …
9. Shared Responsibility
• AWS responsible for all backend infrastructure security
• Customer is responsible for AWS architecture in their account and application security
10. Security of the Cloud
• Facilities
• Physical security
• Physical infrastructure
• Network infrastructure
• Virtualization infrastructure
• Certifications (ISO; MPAA best practices alignment: https://aws.amazon.com/compliance/mpaa/)
Diagram: MPAA Cloud Security categories (Organization & Management, Operations, Data Security) alongside ISO and MPAA
11. Security on the Cloud (application and content security)
• Application Security: Development Lifecycle; Authentication & Access; Secure Coding & Vulnerability Management
• Digital Security: Content Management; Content Transfer
Storage | S3, Glacier, EBS, Instance Store, EFS
Processing | EC2, Database (RDS/DynamoDB), EMR, ECS, Lambda, SNS, SQS, SWF
Network | VPC, VPN, Direct Connect
Access | IAM, AWS Config, CloudTrail, CloudWatch
13. Security of Studio/Post House Workflows
• FAQs
– Highly Valued Pre-Released Assets
– Secure Transfer (physical in many cases)
– Encryption & Key Management
– Access Control
– Deletion Protection
– Isolated from public access (internet)
– Logging and Monitoring
– Content location
14. Server-side encryption using KMS
Diagram: Amazon S3 request → AWS KMS, governed by the key policy
Keys managed centrally in Amazon KMS with permissions and auditing of usage
15. Security of the Studio/Post House Workflows (Content encryption and access)
Diagram: corporate data center (users, content servers, disk, tape storage) → AWS cloud (processing layer; Amazon S3, Amazon EBS, Amazon Glacier; KMS/HSM; client side encryption; IAM roles; encrypted content; AWS Import/Export Snowball)
16. Locking down S3 access with virtual private endpoint (VPCE)
Diagram: customer network → VPN connection → Virtual Private Gateway → AWS region / VPC with a private subnet in Availability Zone A and in Availability Zone B (Content Value-add Service in each) → VPC Endpoints → Amazon S3
VPC Endpoints
• No IGW
• No NAT
• No public IPs
• Free
• Robust access control
17. VPC Endpoints in action
Diagram: AWS region / VPC with private subnets; the "High Valued Assets" apps and value-add service reach S3 through VPCE1, "Everything else" apps reach S3 through VPCE2
1. Subnet Route Table gives connectivity to the VPCE
2. VPCE IAM policy restricts what buckets the VPCE allows access to
3. Bucket Policy restricts access to specific VPCEs (or VPCs) ONLY
4. Security Groups on instances further restrict which resources can access S3
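Two of the bucket-policy guard-rails on these slides, slide 14's centrally managed KMS key (every PutObject must request SSE-KMS with one specific key) and step 3 of slide 17 (the bucket answers only to the approved VPC endpoints), written out as policy documents and exercised with a small evaluator. This is an added example, not AWS or Alert Logic code; the bucket name, key ARN and endpoint ids are placeholders, and the evaluator models only what these Deny statements need (Action/Resource wildcards and the StringEquals/StringNotEquals operators, including the IAM rule that a negated operator matches when its key is absent from the request context).

```python
"""Two bucket-policy guard-rails from these slides, built as policy documents
and exercised with a small evaluator: the central KMS key of slide 14 (every
PutObject must request SSE-KMS with one specific key) and step 3 of slide 17
(the bucket answers only to the approved VPC endpoints).  The evaluator
models just what these Deny statements need: Action/Resource wildcards and
StringEquals / StringNotEquals, including the rule that a negated operator
matches when its key is absent from the request context.  Added example,
not AWS or Alert Logic code; bucket, key ARN and endpoint ids are placeholders."""
import fnmatch
import json

BUCKET = "example-pre-release-assets"                                   # placeholder
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
APPROVED_VPCES = ["vpce-0example1", "vpce-0example2"]                   # placeholders


def bucket_policy(bucket, kms_key_arn, vpce_ids):
    """Two explicit Deny statements.  An explicit Deny beats any Allow the
    caller holds elsewhere, so these hold for every principal and account."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {"Version": "2012-10-17", "Statement": [
        {   # Uploads must name SSE-KMS and this key.  An upload sending no
            # encryption header is denied too (absent key matches the negated
            # operator), so clients must set the headers explicitly.
            "Sid": "DenyPutObjectUnlessThisKmsKey",
            "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": objects_arn,
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms",
                "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}},
        {   # Requests not arriving through an approved endpoint, including
            # internet or console requests with no aws:SourceVpce at all, are denied.
            "Sid": "DenyUnlessFromApprovedVpce",
            "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [bucket_arn, objects_arn],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_ids}}},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value):
    """IAM Action/Resource matching: '*' and '?' wildcards, case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_matches(condition, ctx):
    """Every operator/key pair must match (AND); values under one key are
    alternatives (OR).  StringNotEquals on a key missing from ctx is True."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            wanted, actual = _as_list(wanted), ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in wanted:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def is_denied(policy, action, resource, ctx):
    """True if a Deny statement applies to this (action, resource, context).
    ctx carries the request's condition keys: headers, source VPCE, ..."""
    for st in policy["Statement"]:
        if (st["Effect"] == "Deny" and _glob_match(st["Action"], action)
                and _glob_match(st["Resource"], resource)
                and _condition_matches(st.get("Condition", {}), ctx)):
            return True
    return False


POLICY = bucket_policy(BUCKET, KMS_KEY_ARN, APPROVED_VPCES)
OBJECT = f"arn:aws:s3:::{BUCKET}/dailies/reel-01.mov"   # constructed object ARN


def demo():
    """Representative requests against POLICY; returns {label: denied?}."""
    via_vpce = {"aws:SourceVpce": "vpce-0example1"}
    good_put = {**via_vpce, "s3:x-amz-server-side-encryption": "aws:kms",
                "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}
    sse_s3_put = {**via_vpce, "s3:x-amz-server-side-encryption": "AES256"}
    return {
        "put via VPCE with the right KMS key": is_denied(POLICY, "s3:PutObject", OBJECT, good_put),
        "put via VPCE with SSE-S3 (AES256)": is_denied(POLICY, "s3:PutObject", OBJECT, sse_s3_put),
        "put via VPCE, no encryption header": is_denied(POLICY, "s3:PutObject", OBJECT, via_vpce),
        "get via second approved VPCE": is_denied(POLICY, "s3:GetObject", OBJECT,
                                                  {"aws:SourceVpce": "vpce-0example2"}),
        "get from the internet (no VPCE)": is_denied(POLICY, "s3:GetObject", OBJECT, {}),
        "list bucket via unapproved VPCE": is_denied(POLICY, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}",
                                                     {"aws:SourceVpce": "vpce-0notapproved"}),
    }


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for label, denied in demo().items():
        print(f"{'DENY ' if denied else 'allow'}  {label}")
```

The printed document is what you would attach with put-bucket-policy; the VPC endpoint policy of step 2 is the mirror image (an Allow on the endpoint scoped to the bucket ARNs), and the two together give the layered control the slide describes. Note the side effect the evaluator makes visible: with Deny plus StringNotEquals, a request that carries no aws:SourceVpce at all (console, internet) is denied, and an upload that relies on bucket default encryption without sending the SSE headers is denied as well.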
18. Security of the Studio/Post House Workflows (No Public network traversal)
Diagram: corporate data center (users, content servers, disk, tape storage) → Direct Connect → AWS cloud (processing layer; Amazon S3 via S3 VPC Endpoint, Amazon EBS, Amazon Glacier; KMS/HSM; client side encryption; IAM roles; encrypted content)
21. VPC Flow Logs: Automation
Diagram: Elastic Network Interface of the value-add service for high valued assets (private subnet) → Flow Log group in CloudWatch Logs → metric filter on all SSH REJECT → CloudWatch alarm ("If SSH REJECT > 10, then…") → Amazon SNS → AWS Lambda acting on the source IP
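The detection in that pipeline, run locally over constructed flow-log records so the logic can be seen end to end: count rejected TCP/22 flows per source address and flag every source above the alarm threshold. This is an added example, not code from the talk; the account id, ENI id and addresses are constructed, the metric-filter pattern is the space-delimited form used for flow-log groups, and the actions returned by response_plan are an assumption since the slide leaves the "then…" open.

```python
"""The detection on the 'VPC Flow Logs: Automation' slide, run locally over
constructed flow-log records: count REJECTed TCP/22 flows per source address
and flag every source over the alarm threshold.  In AWS the same test is a
CloudWatch Logs metric filter on the flow-log group feeding a CloudWatch
alarm whose SNS notification invokes a Lambda that acts on the source IP.
Added example, not the talk's code; account, ENI id and addresses are
constructed, and the response taken by `response_plan` is an assumption."""
from collections import Counter

# Field order of a version-2 flow-log record (space separated).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# The same test as a space-delimited metric-filter pattern for the log group:
# TCP (protocol 6) to destination port 22 whose action was REJECT.
SSH_REJECT_FILTER = ('[version, account, eni, source, destination, srcport, '
                     'destport="22", protocol="6", packets, bytes, '
                     'windowstart, windowend, action="REJECT", flowlogstatus]')

ALARM_THRESHOLD = 10   # "If SSH REJECT > 10, then..."

_REC = ("2 111122223333 eni-0exampleaaa {src} 10.0.1.25 {sport} {dport} {proto} "
        "1 40 1700000000 1700000060 {action} OK")
SAMPLE_FLOW_LOG = "\n".join(
    # 12 rejected SSH attempts from one external address: over the threshold
    [_REC.format(src="198.51.100.7", sport=40100 + i, dport=22, proto=6, action="REJECT")
     for i in range(12)]
    # 3 rejected SSH attempts from another external address: under it
    + [_REC.format(src="203.0.113.9", sport=50100 + i, dport=22, proto=6, action="REJECT")
       for i in range(3)]
    + [_REC.format(src="10.0.2.14", sport=51000, dport=22, proto=6, action="ACCEPT"),      # accepted: not counted
       _REC.format(src="198.51.100.7", sport=52000, dport=443, proto=6, action="REJECT"),  # port 443: not counted
       _REC.format(src="198.51.100.7", sport=52001, dport=22, proto=17, action="REJECT"),  # UDP/22: not counted
       "2 111122223333 eni-0exampleaaa - - - - - - - 1700000000 1700000060 - NODATA",      # empty window
       "garbled partial record"])                                                           # truncated line


def parse_record(line):
    """Return the record as a dict, or None for lines that are not 14 fields."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def is_ssh_reject(rec):
    """Only OK-status records count; NODATA/SKIPDATA rows carry '-' fields."""
    return (rec["log_status"] == "OK" and rec["action"] == "REJECT"
            and rec["dstport"] == "22" and rec["protocol"] == "6")


def ssh_rejects_by_source(flow_log_text):
    """Counter of rejected SSH flows keyed by source address."""
    counts = Counter()
    for line in flow_log_text.splitlines():
        rec = parse_record(line)
        if rec and is_ssh_reject(rec):
            counts[rec["srcaddr"]] += 1
    return counts


def sources_over_threshold(flow_log_text, threshold=ALARM_THRESHOLD):
    """[(source_ip, count)] for sources strictly above the threshold, busiest first."""
    return sorted(((ip, n) for ip, n in ssh_rejects_by_source(flow_log_text).items()
                   if n > threshold), key=lambda item: -item[1])


def response_plan(flow_log_text, threshold=ALARM_THRESHOLD):
    """What the Lambda would hand to the responder for each offending source
    (the actions listed are an assumption; the slide leaves the 'then...' open)."""
    return [{"source_ip": ip, "ssh_rejects": n,
             "actions": ["notify-security-team", "add-source-to-blocklist-for-review"]}
            for ip, n in sources_over_threshold(flow_log_text, threshold)]


if __name__ == "__main__":
    print("metric filter:", SSH_REJECT_FILTER)
    print("rejects by source:", dict(ssh_rejects_by_source(SAMPLE_FLOW_LOG)))
    print("response plan:", response_plan(SAMPLE_FLOW_LOG))
```

Two details matter when moving this to the managed pipeline: the filter keys on destination port and protocol, not just the word REJECT, so rejected UDP or HTTPS traffic does not inflate the count, and NODATA/SKIPDATA records are skipped because their fields are dashes, which would otherwise break a naive parser.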
22. Additional Security Controls (Elastic Transcoder Security)
• Encryption at rest
– Server managed keys
– Client provided keys
• Integration with AWS Key Management Service
– Amazon Elastic Transcoder only accepts AWS KMS protected keys
– Key is never written or stored in cleartext
• Encryption for HLS streams
– Built on top of “client provided keys” API
– Amazon Elastic Transcoder generates HLS playlists embedding URI for decryption key
• Digital Rights Management
– PlayReady DRM packaging
• CloudTrail Integration
• Watermarking
Diagram: Elastic Transcoder, under an IAM role, using KMS and Amazon S3, with AWS CloudTrail recording the calls
24. Security of the Distribution (content transfer) Workflow (B2B)
Diagram: AWS cloud with Amazon S3 (KMS/HSM, IAM role, S3 VPC Endpoint) behind an optional proxy layer; Internal Users, Vendors/Partners and Affiliates/Distributors get fine grained temporary access (remote application streaming where needed), with access logs recorded
25. A secure way to physically transfer content – at scale: Amazon Import/Export Snowball
Scale and Speed
• Up to 50TB capacity per device
• 10Gbps and 1Gbps connectivity
• Parallel data transfer enables PBs transferred in a week
Secure
• Tamper-resistant enclosure
• 256-bit encryption with KMS
• Secure data erasure
Simple
• Manage entire process through AWS Console
• Lightweight data transfer client
• Notifications
26. Security of Content Distribution Applications
• FAQs
– Access Control, Rights Management & Content Monetization
– DRM Packaging
– Encryption
– Logging and Monitoring
27. AWS mechanisms for securing media delivery
Token / signed URLs | Amazon CloudFront – Private Content (Signed URLs, signed Cookies, OAIs)
AES encryption | Amazon Elastic Transcoder – HLS with AES-128 encryption; AWS Key Management Service – Key Management for Amazon Elastic Transcoder, Amazon EC2, and Amazon S3
DRM | Amazon Elastic Transcoder – PlayReady DRM packaging
Geoblocking | Amazon CloudFront – Geo-restriction
Watermarking | Amazon Elastic Transcoder – Visual watermarks
28. CDN Security (Amazon CloudFront Security)
Diagram: End User → HTTP → Amazon CloudFront (signed request / signed cookie verification, AWS WAF) → delivery EC2 instances behind a security group and Amazon S3 (media storage); access logs written to Amazon S3 (logs storage)
• CloudFront’s private content feature
– Only deliver content to securely signed requests
• HTTPS ONLY requests/delivery
• Signed URL verification
– Policy based on a timed URL or a CIDR block of the requestor
• HTTPS ONLY origin fetches
• AWS WAF
• Trusted signers
• Access logs
• CloudFront origin access identity
• Signed Cookies for Private Content
– Include Signature in the cookie itself
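The policy half of the signed-URL mechanism above, as an added example that is not AWS code: building a custom policy that expires at a set time and only honours requests from one CIDR block, CloudFront's URL-safe base64 variant for carrying it in a query string or cookie, and the evaluation of those conditions against a request. The RSA-SHA1 signature that a trusted signer's private key puts over the policy JSON (the AWS SDKs do this) is not reproduced here, so signed_url takes the signature bytes as an input; the distribution host, path and addresses are constructed.

```python
"""Policy construction and edge-side checks behind CloudFront private content
from the 'CDN Security' slide: a custom policy that expires at a set time and
only honours requests from one CIDR block, CloudFront's URL-safe base64 for
carrying it in a query string, and the verification of its conditions against
a request.  The RSA-SHA1 signature a trusted signer's private key puts over
the policy JSON (done by the AWS SDKs) is not reproduced, so `signed_url`
takes the signature bytes as an input.  Added example, not AWS code; the
distribution host, path and addresses are constructed."""
import base64
import fnmatch
import ipaddress
import json
import time


def custom_policy(resource_url, expires_epoch, source_cidr=None, starts_epoch=None):
    """CloudFront custom policy: Resource (wildcards allowed) plus conditions.
    DateLessThan is mandatory; IpAddress and DateGreaterThan are optional."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}
    if source_cidr:
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    if starts_epoch is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": int(starts_epoch)}
    return {"Statement": [{"Resource": resource_url, "Condition": condition}]}


def cloudfront_b64(data):
    """Standard base64 with '+', '=', '/' replaced by '-', '_', '~' so the
    value survives unescaped in a URL query string or a cookie."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def encode_policy(policy):
    return cloudfront_b64(json.dumps(policy, separators=(",", ":")).encode())


def decode_policy(encoded):
    """Inverse of encode_policy, as the edge does before checking conditions."""
    return json.loads(base64.b64decode(encoded.translate(str.maketrans("-_~", "+=/"))))


def signed_url(resource_url, policy, signature, key_pair_id):
    """Assemble the query string for a custom policy.  `signature` is the raw
    RSA-SHA1 signature over the compact policy JSON (produced elsewhere)."""
    sep = "&" if "?" in resource_url else "?"
    return (f"{resource_url}{sep}Policy={encode_policy(policy)}"
            f"&Signature={cloudfront_b64(signature)}&Key-Pair-Id={key_pair_id}")


def policy_permits(policy, requested_url, client_ip, now=None):
    """Evaluate the policy's conditions for one request (the signature over the
    policy must already have been verified against a trusted signer's key)."""
    now = int(time.time()) if now is None else int(now)
    for statement in policy["Statement"]:
        if not fnmatch.fnmatchcase(requested_url, statement["Resource"]):
            continue
        cond = statement["Condition"]
        if now >= cond["DateLessThan"]["AWS:EpochTime"]:
            return False                      # expired
        if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
            return False                      # not yet valid
        if "IpAddress" in cond:
            allowed = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
            if ipaddress.ip_address(client_ip) not in allowed:
                return False                  # requester outside the CIDR block
        return True
    return False                              # no statement covers this URL


# Constructed values for the demonstration.
RESOURCE = "https://d111111abcdef8.cloudfront.net/protected/*"
REQUEST = "https://d111111abcdef8.cloudfront.net/protected/reel-01.m3u8"
POLICY = custom_policy(RESOURCE, expires_epoch=1700003600, source_cidr="203.0.113.0/24")


def demo():
    """One policy checked against a few requests; returns {label: permitted?}."""
    return {
        "in window, inside CIDR": policy_permits(POLICY, REQUEST, "203.0.113.25", now=1700000000),
        "in window, outside CIDR": policy_permits(POLICY, REQUEST, "198.51.100.5", now=1700000000),
        "after expiry, inside CIDR": policy_permits(POLICY, REQUEST, "203.0.113.25", now=1700003600),
        "other path, inside CIDR": policy_permits(POLICY, "https://d111111abcdef8.cloudfront.net/public/x.mp4",
                                                  "203.0.113.25", now=1700000000),
    }


if __name__ == "__main__":
    print(signed_url(REQUEST, POLICY, b"<signature bytes>", "KEXAMPLEKEYPAIRID"))
    for label, ok in demo().items():
        print(f"{'permit' if ok else 'reject'}  {label}")
```

The point the slide makes about a CIDR-bound policy is visible in the third and fourth checks: possession of the URL alone is not enough, the request must also arrive in the time window and from the expected network, and the same policy document carries over unchanged into a signed cookie.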
30. Log, Monitor, Act Proactively
You are making API calls and accessing your content… on a growing set of services around the world that access your content (Elastic Load Balancing, Amazon S3, Amazon Glacier, Amazon CloudFront, Elastic Transcoder).
Amazon CloudTrail is continuously recording API calls… and delivering log files to you… alongside the access logs (Amazon S3/Amazon CloudFront/App Logs).
Feed logs into Amazon CloudWatch or monitor patterns on logs.
Act fast or automate based on real-time notifications and alerts.
31. Recycle Infrastructure often
Launch a CloudFormation stack (AMI + CloudFormation template) with all the infrastructure resources for a specific project; autoscale the stack as appropriate; terminate the stack (CloudFormation template) when done.
32. A few other topics
• FAQs
– Third Party Media Security Products
• Watermarking
• DRM
– Software Patching and Updates
– Real-time notifications on any security/access breaches/anomalies
34. Monitoring Activity in your environment
Visibility of the AWS Environment
AWS Security Best Practices
Vulnerabilities on the Instances
Monitor Web Application Traffic
Implement Network Intrusion
Capture Log Data
35. Bringing it together
Diagram: Visibility of the AWS Environment, AWS Security Best Practices, Vulnerabilities on the Instances, Monitor Web Application Traffic, Implement Network Intrusion, Capture Log Data → Analytics → Security Analysts
38. Compliance
Diagram:
• AWS CloudTrail – Auditing events from your AWS infrastructure
• Cloud Defender – Collection of CloudTrail logs and analysis; Notification on Business Rules Exceptions; Reporting
• Customer – Defines policies to meet compliance
• Customer – IT Operations and Security Team consume output